Applies To:

BIG-IP LTM

BIG-IP GTM

About the Transparent DNS cache

You can configure a transparent cache on the BIG-IP® system to use
external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The
next time the system receives a query for a response that exists in the cache, the system
immediately returns the response from the cache. The transparent cache contains messages and
resource records.

A transparent cache in the BIG-IP system consolidates content that would otherwise
be cached across multiple external resolvers. When a consolidated cache is in front of external
resolvers (each with their own cache), it can produce a much higher cache hit percentage.
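The consolidation effect described above, as an added illustration that is not F5 code: the same query stream is fed either round-robin to several resolvers with private LRU caches or through one shared cache of the same size. The query stream, the Zipf-like popularity model and the cache capacity are constructed assumptions.

```python
# Constructed example (not F5's implementation): compare the cache hit rate
# of N independent resolver caches against one consolidated cache in front.
import random
from collections import OrderedDict


class LruCache:
    """Minimal LRU cache that only records which names were seen recently."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0

    def lookup(self, qname):
        """Return True on a hit; on a miss, insert qname and evict the oldest."""
        if qname in self.entries:
            self.entries.move_to_end(qname)
            self.hits += 1
            return True
        self.entries[qname] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)
        return False


def hit_rate(queries, resolvers, capacity, consolidated):
    """Fraction of queries answered from cache.

    consolidated=False: queries go round-robin to `resolvers` external
    resolvers, each with its own private cache of `capacity` entries.
    consolidated=True: a single shared cache of the same size sits in front.
    """
    caches = [LruCache(capacity) for _ in range(1 if consolidated else resolvers)]
    for i, qname in enumerate(queries):
        caches[0 if consolidated else i % resolvers].lookup(qname)
    return sum(c.hits for c in caches) / len(queries)


def zipf_queries(count, names, seed=7):
    """Constructed query stream: a few popular names and a long tail."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) for rank in range(names)]
    return [f"host{n}.example.com" for n in rng.choices(range(names), weights, k=count)]


if __name__ == "__main__":
    stream = zipf_queries(5000, 400)
    print("independent caches:", hit_rate(stream, 4, 64, consolidated=False))
    print("consolidated cache:", hit_rate(stream, 4, 64, consolidated=True))
```

The independent caches each pay a miss the first time a name reaches them, which is exactly the duplicated content a consolidated cache removes.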

F5 Networks recommends that you configure the BIG-IP system to forward queries that cannot be
answered from the cache to a pool of local DNS servers rather than to the local BIND instance,
because BIND performance is slower than using multiple external resolvers.

Note: For systems using the DNS Express™ feature, the BIG-IP system first
processes the requests through DNS Express, and then caches the responses.

About the Resolver DNS cache

You can configure a resolver cache on the BIG-IP® system to resolve DNS
queries and cache the responses. The next time the system receives a query for a response that
exists in the cache, the system returns the response from the cache. The resolver
cache contains messages, resource records, and the nameservers the system queries to
resolve DNS queries.

Network architects should note that it is possible to configure the local BIND
instance on the BIG-IP® system to act as an external DNS resolver. However,
F5 Networks does not recommend this approach, because BIND performance is slower than
using a resolver cache.

About the Validating Resolver DNS cache

You can configure a validating resolver cache on the BIG-IP® system to
recursively query public DNS servers, validate the identity of the DNS server sending the
responses, and then cache the responses. The next time the system receives a query for a response
that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The
validating resolver cache contains messages, resource records, the nameservers the
system queries to resolve DNS queries, and DNSSEC keys.

Using the validating resolver cache, the BIG-IP system mitigates cache poisoning by performing
DNSSEC validation on DNS responses. This is important, because attackers can attempt to
populate a DNS cache with erroneous data that redirects clients to fake web sites or downloads
malware and viruses to client computers. When an authoritative server signs a DNS response, the
validating resolver verifies the data before entering it into the cache. Additionally, the
validating resolver cache includes a built-in filter and detection mechanism that rejects
unsolicited DNS responses.